About Smart Cards

What is a Smart Card?

A smart card is a personal device that provides an intelligent link between the user and the system being used. It can help to make a system usable by the widest possible community of users by allowing the system to provide users with the best interface for their needs.

A smart card is a device that contains a secure computer chip. The chip contains a secure data processing application that is linked to a service. Often the smart card device is in the form of a traditional plastic card.

Different form factors (for example, a key fob) and new carrier devices (for example, a chip embedded in a mobile phone) are starting to emerge. These devices aim to improve ease of use and increase convenience for the user. Carrier devices with embedded smart cards are sometimes referred to as smart media as they can contain additional elements such as keypads, screens and speakers.

Data is retrieved from a smart card chip using a reader that is part of a terminal. Examples of terminals include point-of-sale terminals, self-service cash dispensers and access control gates. The interface between the reader and the smart card chip can be achieved in two ways, either by:

Direct contact between the reader and the chip contacts (referred to as a contact smart card); or

Wirelessly without contact (referred to as a contactless smart card).

Until a few years ago, advanced security functions could only be provided using contact smart cards. However, with the latest generations of smart card chips, both contact and contactless smart cards can deliver the same highly secure applications.

Currently, therefore, the choice of smart card type is based on how the device is to be used rather than its interface. For instance, as there is no physical connection, the interface to contactless cards is more robust and reliable than for contact cards and typically offers faster transaction times. Contact cards tend to be more suitable for uses where the card must be present at all times. For example, security for mobile telephone calls is provided by the subscriber identity module (SIM) smart card that is always in the mobile phone handset.

Smart Card Uses

The smart card chip contains one or more data processing applications that address business needs. Typically, the needs are for smart card applications to provide:

Digital identity functions (such as the SIM for mobile phones or the viewing card for conditional access in subscription TV);

Digital value functions (such as a fare payment application for public transport); or

Over the past decade or so, large-scale smart card application deployments have progressed from payment cards for public telephones through SIMs for mobiles and conditional access cards for TV, to include credit/debit cards for retail payments, contactless cards for public transport and smart cards for national identity projects. In some countries, payment cards are starting to move to contactless smart cards to take advantage of increased transaction speed and user convenience.

Contactless smart cards are also starting to be embedded in passports. The International Civil Aviation Organization (ICAO) standards for machine readable travel documents cover the use of smart cards for visas and passports. These standards include the use of a digitised passport photo of the holder stored in the application on the smart card chip. The digitised photo cannot be interpreted by a computer terminal but is displayed on the terminal to allow a human operator to compare it with the individual holding the passport. As this use is not computerised, the digitised photo is not considered a machine-readable biometric (a biometric is a digitised representation of a physical feature of a person). To complement this, some countries are choosing to add machine-readable biometrics (such as fingerprints) to the information stored on the card.

Belgium is assessing extending its national identity smart cards to include a health application;

France (which started a health smart card in 1998) is expected to roll out an updated version of their health card in 2006 at the same time as a new national identity card is rolled out;

Italy is expected to replace its current paper national identity card with a smart card over the next five years, which is to include health and passport functions; and

Spain is starting to roll out a new national identity smart card that will also include passport functions but is not expected to include health.

Cardholder Authentication

For many applications, it is important that the user of the card can be verified as being the legitimate card user. This is called cardholder authentication and, most often, is achieved by a personal identification number (PIN). In some applications, and government ones in particular (see the passport example above), cardholder authentication methods are moving from PINs to biometrics. For example, it is expected that the new French identity card will include fingerprints as well as a digitised photo and that the Italian card will conform to ICAO standards with the addition of fingerprints.

Using biometrics for verification can make services easier to use as users do not have to remember PINs or complicated authentication mechanisms. However, biometric systems are not perfect and require that the balance between the accuracy of the system and its usability be built into the system. A population-scale service using biometrics that is even 99.9% accurate will lead to thousands of people being prevented from carrying out legitimate transactions. One way of addressing this is by combining multiple biometrics (for example, a fingerprint with voiceprint).

It is worth noting that some applications, notably public transport, do not require cardholder authentication. For public transport applications, transaction speed is most important and possession of the card is enough for its use. As a contactless card offers significant speed and reliability advantages over traditional tickets, many cities worldwide have smart card ticketing systems. Smart card rollouts for public transport appear to be happening on a city basis rather than countrywide, an exception being The Netherlands where a co-ordinated nationwide approach is being undertaken.

Smart Cards Types

As introduced above, contact smart cards (as defined in ISO 7816) are plastic cards usually of a size known as ID-1 (the traditional credit card size as defined in ISO 7810) that store the information on an electronic chip. This can be a memory-only chip (often used for public telephony applications) or it can incorporate a microprocessor, which gives the capability of adding additional data security features (typically used for financial and identity applications). These cards are read by inserting the card into a reader, where contacts in the reader touch contacts on the card to read information from the cardâ€™s electronic chip.

By incorporating an aerial within the plastic sheets of a card, the card can be read at a distance of up to 10cm. These are contactless cards (as defined in ISO 14443) and are common in public transport applications where speed of throughput is the primary consideration. Visa, MasterCard and American Express are starting to offer contactless cards for payment applications and it is likely that the technology will be introduced for payments in western Europe in the next few years.

This technology is similar to a passive radio frequency identity (RFID) tag but it operates at a different radio frequency with different protocols. Typically, passive RFID tags are used for retail tagging, animal chipping and other identity applications.

Vicinity cards (as defined in ISO 15693) operate at a distance of between 10cm and 1 metre. These cards are not yet in widespread use and their market penetration will largely depend on the perceived economic benefits to the service providers. For users with a disability, they could offer a range of new facilities (e.g. For a blind user, giving an audible announcement of the destination of the bus before entering the bus).

Cards that operate at a range greater than 1 metre are for applications such as tolls on roads. These cards, often referred to as active tags, have to be used in a device which incorporates a power supply such as a battery.

Smart Cards in Mobile Phones

Even though the conventional format is a card, smart cards can be in many other forms such as key fobs. There has been a recent trend towards embedded contactless cards into personal devices, such as in a wrist watch, which are often referred to as smart media. The most promising of these initiatives, which is likely to result in mass deployment, is the embedding of wireless proximity technologies in mobile phones. This technology is referred to as near-field communication (NFC). The aim of NFC is to enable seamless wireless communication between two consumer devices that are simply tapped together.

NFC enables devices to operate in either active or passive contactless modes, allowing, for example, an NFC mobile phone handset to act as a reader of other contactless devices or act as a passive contactless smart card in its own right.

The features of NFC can be used to improve service usability. For example, if a sign at a bus stop contained a passive tag, simply tapping the sign with an NFC phone could automatically call an information line or allow travel information to read-out using the phone speaker. In a more traditional way, a transport ticketing application could be loaded into a customer's NFC phone and tapped on a ticket barrier to provide the same functionality as a conventional contactless smart card.

Although a relatively recent technology, NFC is expected to roll out quickly. This is because mobile handset replacement cycles are relatively short since new features are continuously being introduced by both handset manufacturers and mobile phone operators.Research published in September 2006 from US-based ABI Research predicts that, by 2011, more than 30% of all mobile phone handsets will incorporate NFC.

Apart from a few pilot services in payments, public transport applications are seeing the first implementations of contactless smart card services embedded in mobile phone handsets, with the Felica deployment in Japan being the leading scheme. As the mobile phone is ubiquitous, many commentators suggest that there is a natural convergence for smart card applications to be present on mobile devices.

Smart Card Benefits

Since a smart card belongs to an individual user, information can be stored that has the potential to tailor services to that user. Smart cards can carry very specific information about a person, such as health records. Smart cards can also be used to help people control devices. For example, an electronic medicine dispenser could be designed to release specific tablets to a person, which could help avoid the difficulties some people have in remembering what tablets to take or at what intervals.

For older users or those with disabilities, a smart card can carry information that tells a terminal to:

Allow the user more time;

Simplify choices, such as issuing a preset amount of money;

Use larger characters for people with low vision; or

Provide audio output of information, through an earphone for confidential information.

There are many occasions when audio output would be convenient and a smart card could inform a terminal when this would be the case (for example, a smart credit/debit card inserted into a device would trigger the device to speak the transaction logs on the card allowing the user to check their most recent transactions).

Many cards use a 4-digit personal identification number (PIN) to verify the cardholder. People with dyslexia often have problems in remembering a 4-digit PIN in the correct order, so are likely to prefer alternative biometric systems for authentication. The selection verification method can be made to match the cardholder and extend a service to more users.

The use of appropriate technologies can make a system usable by the widest possible community of users. A smart card can be a key technology in this and can provide an intelligent, tailored link between the user and the system, allowing the system to provide the user with the best interface for their needs. This approach can reduce dependency on manual support and help to reduce overall service costs.